This is a post to finally put this idiocy to rest: “If you can DETECT, why can’t you PREVENT!?”
Here are my top 5 reasons why DETECTION excellence does NOT automatically mean you can have PREVENTION:
- Uncertainty – prevention [blocking] is black and white (switch open / closed), and requires 100.0% dead certainty before you block, because a wrong block breaks something for somebody right now. Detection is much more “shades of gray”, inherently and by design.
- Timing – some threats (like all sorts of stealthy malware) can only be detected after you have been collecting data for days. How do you prevent based on day-old data? Detection a day late is still useful, but it does not translate into prevention.
- Vague signals – you can give a vague signal to a human analyst and he will use it to uncover a threat, but you can’t drop a vague signal down to that UTM appliance. Vague signals are exactly how some of the notable threats of the past have been detected, all the way back to 1986 (a 75-cent accounting discrepancy is what started the hunt described in “The Cuckoo’s Egg”).
- False positives – some detection methods have very high “false positives” (for all sorts of good reasons) yet are very useful for threat detection, especially of those threats that are hard/impossible to detect otherwise. Note that “FP rate” here means the share of alerts that turn out to be wrong, not a share of all traffic, which is why the alert volume matters as much as the rate. Will you accept a 10% FP rate in your blocking tool? No, I guess not. Me neither. Will I accept a 90% FP rate GIVEN (and that matters!) a small number of alerts if I can catch unique threats? Yes, I will, and so should you.
- Detecting from exploration – the current interest in threat hunting (and deception) reminds us that there are threat detection / threat discovery approaches that rely on data exploration and interactive analysis by a human analyst and (in some cases of deception) even on interaction with the attacker. Can these be “extrapolated” to prevention? Not really.
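To make the uncertainty, timing and false-positive points concrete, here is an added example (mine, not part of the original post) of one scored detection signal feeding two different decision points: an inline blocking rule that fires only at near-certainty and an alerting rule that fires on vague signals and sends work to an analyst queue. The events, scores, thresholds and host names are all constructed for the example, and the “beacon” function assumes a simple “same host called out on N consecutive days” detection, which is a stand-in for any multi-day detection.

```python
"""
Constructed example (added here; not from the original post): one scored
detection signal feeding two decision points. Inline blocking fires only at
near-certainty; alerting fires on vague signals and tolerates a high
false-positive fraction as long as the alert volume stays small enough for a
human to triage. Every event below is made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    day: int          # day on which the event was observed (0-6)
    host: str
    score: float      # detector confidence in [0.0, 1.0]
    malicious: bool   # ground truth; known only because the data are constructed


BLOCK_THRESHOLD = 0.99   # prevention: act inline only on near-certain verdicts
ALERT_THRESHOLD = 0.30   # detection: hand vague signals to an analyst


def build_sample() -> List[Event]:
    """One constructed week: 1000 benign events and 5 malicious ones."""
    events = []
    for i in range(1000):
        # 4% of benign events land in the "vague signal" band; the rest score low.
        score = 0.45 if i % 25 == 0 else 0.05
        events.append(Event(day=i % 7, host=f"ws-{i:04d}", score=score, malicious=False))
    events += [
        Event(0, "ws-9001", 0.995, True),  # known-bad hash: unambiguous
        Event(1, "ws-9002", 0.55, True),   # odd parent process: vague
        Event(2, "ws-9003", 0.40, True),   # rarely seen domain: vague
        Event(3, "ws-9004", 0.35, True),   # unusual logon hour: vague
        Event(4, "ws-9005", 0.20, True),   # scores below both thresholds: missed
    ]
    return events


def decide(ev: Event, block_t: float = BLOCK_THRESHOLD,
           alert_t: float = ALERT_THRESHOLD) -> str:
    """Inline decision: block only at near-certainty, alert on vague signals."""
    if ev.score >= block_t:
        return "block"
    if ev.score >= alert_t:
        return "alert"
    return "allow"


def evaluate(events: List[Event], threshold: float) -> Dict[str, float]:
    """What happens if every event scoring at or above `threshold` fires."""
    fired = [e for e in events if e.score >= threshold]
    tp = sum(1 for e in fired if e.malicious)
    fp = len(fired) - tp
    total_malicious = sum(1 for e in events if e.malicious)
    days = max(e.day for e in events) + 1
    return {
        "fired": len(fired),
        "true_positives": tp,
        "false_positives": fp,
        # fraction of fired decisions that were wrong (the "FP rate" in the post)
        "fp_fraction": fp / len(fired) if fired else 0.0,
        "recall": tp / total_malicious if total_malicious else 0.0,
        "fired_per_day": len(fired) / days,
    }


def beacon_verdict_day(conn_days: List[int], min_days: int = 3) -> Optional[int]:
    """Timing: a 'same host called out on N consecutive days' detection cannot
    fire before day N-1 of the pattern; the earlier days are already past."""
    seen = sorted(set(conn_days))
    if not seen:
        return None
    if min_days <= 1:
        return seen[0]
    run = 1
    for prev, cur in zip(seen, seen[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run >= min_days:
            return cur
    return None


if __name__ == "__main__":
    sample = build_sample()
    for name, t in (("blocking", BLOCK_THRESHOLD), ("alerting", ALERT_THRESHOLD)):
        r = evaluate(sample, t)
        print(f"{name:9s} threshold={t:.2f} fired={r['fired']:3d} "
              f"fp_fraction={r['fp_fraction']:.2f} recall={r['recall']:.2f} "
              f"per_day={r['fired_per_day']:.1f}")
    print("beacon verdict day:", beacon_verdict_day([0, 1, 2, 3]))
```

On this constructed week the blocking threshold is 100% precise but catches 1 of the 5 malicious events; the alerting threshold is about 91% false positives yet catches 4 of 5 at roughly 6 alerts a day, which one analyst can triage. Raise the alert threshold to the blocking level and the three vague signals are lost. The scores are the same in both cases; only the cost of a wrong decision differs, and that is what sets the threshold. The beacon function makes the timing point: a three-day pattern that starts on day 0 is first detectable on day 2, so nothing from days 0 and 1 could have been prevented by that detection.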
So, PREVENTION – DETECTION – RESPONSE lives on!
Finally, let me address a related idiocy: “prevention is better than cure, so we will only buy preventative tools, NOT detection or response.” OF COURSE “prevention is better than cure”, just like “teleportation is better than driving.” So how do you get around? Ah, you drive… hmm… why, if you agree that teleporting would be better?! Exactly: we do NOT know how to PREVENT ALL THREATS. In fact, we KNOW that it is NOT POSSIBLE.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.